Want to learn someone's location? Due to some shoddy programming, a US company that hoards cell phone data accidentally gave anyone the disturbing power to do this.

LocationSmart specializes in collecting cell phone data from US wireless carriers as a way to help businesses understand their customers. According to its website, the California company has location data on over 400 million devices.

However, LocationSmart appears to have been careless with that data. A computer scientist noticed on Wednesday that an online demo for one of the company's services could let anyone plug in a cell phone number, and pull up the device's location.

The searches were supposed to be limited to cell phone numbers whose owners had consented to the lookup. To obtain that consent, the demo would text or call the phone number and ask the owner for permission before returning a location.

Unfortunately, the demo contained a software bug, according to Robert Xiao, a PhD candidate at Carnegie Mellon University. While digging around the demo, he noticed a flaw in the system's API that let anyone run a cell phone location search without the owner's consent ever being requested or confirmed.
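The consent flow described above, modelled as an added example. This is not LocationSmart's code, and the article does not describe the actual mechanism of the flaw; the example shows the bug class a reviewer would look for in any consent-gated lookup API: a server-side consent ledger that is enforced in one request handler but not in a second entry point that reaches the same backend, placed beside a layout where the single check sits inside the only function that touches location data. All names, the in-memory ledger and the sample numbers and coordinates are assumptions constructed for the example.

```python
"""Hypothetical consent-gated location lookup: a bypassable layout next to a hardened one.
Not LocationSmart's code; names, ledger and sample data are constructed for illustration."""
from dataclasses import dataclass, field
import secrets
import time

# Constructed sample data: coordinates the service "knows" for two subscriber numbers.
DEVICE_LOCATIONS = {
    "+15551230001": (37.7749, -122.4194),
    "+15551230002": (40.7128, -74.0060),
}


class ConsentRequired(Exception):
    """Raised when a lookup is attempted for a number that has not confirmed consent."""


@dataclass
class ConsentLedger:
    """Server-side record of consent confirmed through the SMS/voice prompt."""
    pending: dict = field(default_factory=dict)  # number -> one-time code sent to the handset
    granted: dict = field(default_factory=dict)  # number -> unix time at which consent expires

    def request(self, number: str) -> str:
        """Start the prompt. The code is delivered to the handset, never to the API caller."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        return code

    def confirm(self, number: str, code: str, ttl_seconds: int = 600) -> bool:
        """The handset owner replies with the code; consent is recorded with a time limit."""
        expected = self.pending.get(number)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        del self.pending[number]
        self.granted[number] = time.time() + ttl_seconds
        return True

    def has_consent(self, number: str) -> bool:
        return self.granted.get(number, 0.0) > time.time()


# --- Vulnerable layout: the check lives in one handler, not in the data access layer ---

def _locate_unchecked(number):
    return DEVICE_LOCATIONS.get(number)


def vulnerable_lookup(ledger, number):
    """The documented endpoint: refuses until the owner has confirmed consent."""
    if not ledger.has_consent(number):
        raise ConsentRequired(number)
    return _locate_unchecked(number)


def vulnerable_batch_lookup(ledger, numbers):
    """A second entry point that reuses the backend but was never given the check.
    Anyone who finds this path gets locations for numbers that never consented."""
    return {n: _locate_unchecked(n) for n in numbers}


# --- Hardened layout: authorization is inside the only function that reads location data ---

def _locate_checked(ledger, number):
    if not ledger.has_consent(number):
        raise ConsentRequired(number)
    return DEVICE_LOCATIONS.get(number)


def hardened_lookup(ledger, number):
    return _locate_checked(ledger, number)


def hardened_batch_lookup(ledger, numbers):
    """Every number is checked individually; one missing consent fails the whole request
    rather than silently returning a partial result."""
    return {n: _locate_checked(ledger, n) for n in numbers}


if __name__ == "__main__":
    ledger = ConsentLedger()
    victim, consenting = "+15551230001", "+15551230002"
    ledger.confirm(consenting, ledger.request(consenting))  # only the second number consents
    print("vulnerable batch:", vulnerable_batch_lookup(ledger, [victim, consenting]))
    try:
        hardened_batch_lookup(ledger, [victim, consenting])
    except ConsentRequired as exc:
        print("hardened batch refused for", exc)
```

The point of the hardened layout is that adding a new endpoint, response format or batch mode cannot reintroduce the bug, because no code path can reach `DEVICE_LOCATIONS` without passing through `_locate_checked`. A practitioner auditing a consent or authorization flow should look for exactly this: every function that returns the protected data, and whether each caller of it performs the check or the function does so itself.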

Xiao disclosed the vulnerability to security journalist Brian Krebs, who verified that the LocationSmart demo could, indeed, pull up someone's approximate location; he and Xiao tested it on five of Krebs' trusted sources.

"One of those sources said the longitude and latitude returned by Xiao's queries came within 100 yards of their then-current location," Krebs wrote on Thursday. "Another source said the location found by the researcher was 1.5 miles away from his current location. The remaining three sources said the location returned for their phones was between approximately 1/5 to 1/3 of a mile at the time."

How long the bug has been around isn't known, but LocationSmart appears to have taken the demo offline.

Xiao was investigating the company amidst news that it was supplying location data to a little-known prison technology firm called Securus Technologies. Last week, a US senator revealed that Securus was also providing cell phone location lookups to law enforcement and correctional officers without a warrant.

So far, LocationSmart and Securus haven't commented. But their practices are raising serious questions over why US wireless carriers are handing so much private data to third-party companies, when no controls appear to be in place.

The major wireless providers haven't detailed their relationships with LocationSmart or Securus. But on Thursday, an AT&T spokesman said: "We don't permit sharing of location information without customer consent or a demand from law enforcement. If we learn that a vendor does not adhere to our policy we will take appropriate action."


UPDATE 5/18/18: In a statement, LocationSmart said: "We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission."

"On that day (May 16) as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao's public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber's location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."

About the Author

Michael has been a PCMag reporter since October 2017. He previously covered tech news in China from 2010 to 2015, before moving to San Francisco to write about cybersecurity. He covers a variety of tech news topics, including consumer devices, digital privacy issues, computer hacking, artificial intelligence, online communities and gaming.